JP2017152787A - Communication device and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication device and a communication system that prevent communication speed reduction due to double congestion control and double re-transmission control by two transmission control protocols (TCP) of a LAN and a WAN.SOLUTION: In a system that communicates using independent protocols terminated at the boundary between a LAN and a WAN, information on communication is shared between the protocols by the session. Then, the system interlinks communication control at the protocols on the basis of the shared information, and thereby suppresses the occurrence of bottlenecks on a network route between transmission and reception terminals.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication device that transmits and receives packets in network communication, a communication system, and a control method and control program for the communication device.

  The use of VPN (Virtual Private Network), which is a network technology that can be used for connection between bases in an in-company network and can communicate with a base in a remote place like communication within the company network, has been spreading.

  When a VPN device is used, communication between terminals is performed by a local LAN (Local Area Network) that is a network between the data transmission terminal and the data transmission side VPN device, and a network between the data transmission side VPN device and the data reception side VPN device. The network is divided into three types: a WAN, a data receiving side VPN device, and a data receiving terminal, which is a network between opposing base LANs.

  Communication between the data transmission terminal and the data transmission side VPN device uses a payload protocol that carries data before being encapsulated by the VPN device. The communication between the data transmission side VPN apparatus and the data reception side VPN apparatus uses a delivery protocol that carries data after being encapsulated by the VPN apparatus. Communication between the data receiving terminal and the data receiving side VPN apparatus is performed in the same manner.

  In general, in LAN and WAN lines, speed differences occur between two lines due to differences in contracted line bandwidth, RTT (Round-Trip Delay Time), packet discard rate, etc., so excessive transmission on one line, etc. If a bottleneck link occurs due to the influence of the other, the other line speed may be adversely affected.

  In communication between terminals, TCP (Transmission Control Protocol) is generally used. In an environment using a VPN device, TCP is often used for both protocols before and after encapsulation.

  In TCP communication, the reception terminal notifies the transmission terminal of the position of the received data with respect to the data transmitted by the transmission terminal. The sending terminal manages parameters such as the congestion window size for congestion control and the receiving window size for window control, and controls the packet transmission amount according to the congestion degree of the network and the receiving performance of the receiving terminal. .

  In particular, when a bottleneck link exists on the network path between the transmitting and receiving terminals and the transmitting and receiving terminals communicate with each other using TCP, performance degradation is caused by double congestion control and double retransmission control by two TCPs. There is a problem that the communication speed decreases.

  Also, if the amount of communication is limited by individually adjusting the TCP parameters of the terminal, the number of terminals is generally enormous compared to the number of communication path control devices, so the man-hours required for terminal setting become enormous. There's a problem.

  As a background art of such a technical field, there is Patent Document 1. This Patent Document 1 describes that “performance deterioration due to double congestion control and double retransmission control by two TCPs is suppressed without changing the setting of the end terminal”.

  In addition, as a technique for speeding up communication via a TCP session at a relay point between two networks, an apparatus for improving the bandwidth of WAN TCP communication (Patent Document 2) is known. Patent document 2 describes that “the transmission bandwidth is improved in an environment where the transmission bandwidth is not greatly affected by the RTT and the discard rate, the RTT is large, the number of hops is large, and there are many discard occurrence places”. ing.

JP 2008-78966 A International Publication WO2011 / 033894

  In the method of Patent Document 1, when there is a bottleneck link on the LAN side, the communication of the entire VPN system cannot be accelerated. In general, the WAN communication band is often smaller than the LAN communication band, but when a device for improving the WAN TCP communication band is used, a LAN-side bottleneck link may occur. In addition, a LAN-side bottleneck link may occur when congestion control, flow control, retransmission control, or the like using a protocol used by a LAN-side terminal is performed.

  Patent Document 2 does not consider a configuration in which a LAN and a WAN are connected by a VPN device.

  That is, in a configuration in which communication of one network protocol (for example, LAN) is terminated and connected to communication of the other network protocol (for example, WAN), when each communication performs communication control independently, As a result, the system as a whole may not be able to speed up properly.

  In order to solve the above-described problems, one aspect of the present invention is a communication device that is connected to a first network and a second network and transmits and receives packets. This device has a first interface connected to the first network, a second interface connected to the second network, and a encapsulation control unit that converts the communication protocol by performing packet encapsulation / decapsulation. A first network side transmission / reception control unit for controlling the packet transmission / reception amount of the first interface based on the first protocol, and a second network for controlling the packet transmission / reception amount of the second interface based on the second protocol. First network side transmission / reception control having a network side transmission / reception control unit, a transmission buffer for holding packets to be transmitted, a reception buffer for holding received packets, and a storage unit for managing a connection for each entry And the second network side transmission / reception control unit Sharing management information for each connection between, on the basis of the shared management information, a communication apparatus characterized by controlling the packet transmission and reception amount.

  Another aspect of the present invention provides a first interface connected to the first network and receiving a packet according to the first protocol, and a first interface connected to the second network and transmitting the packet according to the second protocol. The second interface, the encapsulation controller that converts the protocol between the first protocol and the second protocol by performing the encapsulation / decapsulation of the packet, and the packet transmission / reception amount of the first interface, Control based on the protocol, and the packet transmission / reception amount of the second interface is controlled based on the second protocol, the packet from the first interface, and the first interface through the encapsulation control unit. A packet that can be identified as a packet input And a session path control unit that inputs to the transmission / reception control unit, the transmission / reception control unit transmits a packet from the first interface to the encapsulation control unit, and a packet from the encapsulation control unit, A communication device that transmits to a second interface.

  Another aspect of the present invention is a first terminal, a first communication device, a second communication device, a second terminal, a first network between the first terminal and the first communication device, The communication system includes a second network between the first communication device and the second communication device, and a third network between the second communication device and the second terminal. In this system, a first communication device is connected to a first network and receives a packet according to a first protocol, and is connected to a second network and transmits a packet according to a second protocol. The second interface, the encapsulation controller that converts the protocol between the first protocol and the second protocol by performing packet encapsulation / decapsulation, and the packet transmission / reception amount of the first interface, A transmission / reception control unit for controlling the packet transmission / reception amount of the second interface based on the second protocol, a packet from the first interface, and a encapsulation control unit from the first interface. The input packet is used as input and both are recognized. And tagged to enable, and a session path control unit for inputting the transmission and reception control unit. Here, the transmission / reception control unit is a communication system that transmits a packet from the first interface to the capsulation control unit and transmits a packet from the capsulation control unit to the second interface.

  Another aspect of the present invention is a program for causing hardware to execute the above-described processing procedures, or a computer-readable recording medium on which the program is recorded. Another aspect of the present invention is a communication method including processing executed by the apparatus or the communication system.

  According to the disclosure, in a system in which a plurality of networks each performing protocol communication is connected, communication speed of the entire system can be increased. Problems, configurations, and effects other than those described above will be clarified by the following description of embodiments.

System block diagram in which the tunneling device # 1 is installed at the boundary between the local LAN and WAN, and the tunneling device # 2 is set at the boundary between the LAN and WAN at the opposite site Block diagram when input to NIF0 of tunneling device # 1 Block diagram when input to NIF1 of tunneling device # 1 Block diagram of tunneling device # 2 State table block diagram Block diagram showing LAN frame format Block diagram showing the WAN frame format Flowchart of processing at the time of packet input to NIF0 of tunneling apparatus # 1 (200) Flowchart of processing at the time of packet input to the NIF 11 of the tunneling apparatus # 1 (200) Sequence diagram of packets of each control unit TCP in the system of FIG. The figure which shows an example of the hardware constitutions of tunneling apparatus # 1 (200) System diagram with tunneling device # 1-1 installed at the boundary between the local LAN and WAN, and tunneling device # 1-2 at the boundary between the LAN and WAN at the opposite site 11 is a sequence diagram of packets of each control unit TCP in the system of FIG.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. For clarity of explanation, the following description and drawings are omitted and simplified as appropriate. The present invention is not construed as being limited to the description of the embodiments below. Those skilled in the art will readily understand that the specific configuration can be changed without departing from the spirit or the spirit of the present invention.

  In the structures of the invention described below, the same portions or portions having similar functions are denoted by the same reference numerals in different drawings, and redundant description may be omitted.

  In the present specification and the like, notations such as “first”, “second”, and “third” are attached to identify the components, and do not necessarily limit the number or order. In addition, a number for identifying a component is used for each context, and a number used in one context does not necessarily indicate the same configuration in another context. Further, it does not preclude that a component identified by a certain number also functions as a component identified by another number.

  The position, size, shape, range, and the like of each component illustrated in the drawings and the like may not represent the actual position, size, shape, range, or the like in order to facilitate understanding of the invention. For this reason, the present invention is not necessarily limited to the position, size, shape, range, and the like disclosed in the drawings and the like.

  Hereinafter, Example 1 is demonstrated using FIGS. 1-10. In this embodiment, for example, in a system that communicates using an independent protocol that is terminated at a boundary, such as a LAN and a WAN, information related to communication is shared between the protocols for each session. And the technique which suppresses generation | occurrence | production of the bottleneck on the network path | route between transmission / reception terminals by linking communication control by each protocol based on the shared information is provided.

  A specific aspect of the present invention is, for example, a communication device that is connected to a first network and a second network and transmits / receives a packet, and includes a first interface connected to the first network, A second interface connected to the network and a encapsulation control unit that converts the communication protocol by performing packet encapsulation / decapsulation, and controls the packet transmission / reception amount of the first interface based on the first protocol Network side transmission / reception control unit and second network side transmission / reception control unit for controlling the packet transmission / reception amount of the second interface based on the second protocol, holding transmission packet, holding received packet Receive buffer and connection for each entry Having a storage unit having a state table.

  According to the above aspect, information related to communication is shared for each connection between two or more protocols that perform speed control, and based on the shared information by grasping how much communication each other protocol is performing The operations of both protocols are linked to eliminate the LAN side bottleneck link and the WAN side bottleneck link, thereby speeding up the communication of the entire VPN system.

<1. Overall system configuration>
In FIG. 1, the tunneling device # 1 (200) is installed at the boundary between the local LAN # 1 (151) and the WAN (152), and the tunneling device # 2 (300) is installed at the opposite LAN # 2 (153). And a system set at the boundary of WAN (152). In the description of the first embodiment, the configuration of the tunneling device on the data transmission side is the tunneling device # 1, and the configuration of the tunneling device on the data reception side is the tunneling device # 2. However, in practice, the tunneling device # 1 and the tunneling device # 2 may have the same configuration that combines a configuration for transmission and a configuration for reception.

  The tunneling device # 1 (200) is installed at the boundary between the LAN # 1 (151) and the WAN (152), which are local LANs. The tunneling device # 2 (300) is installed at the boundary between the LAN # 2 (153) and the WAN (152) which are the LANs at the opposite bases. In this example, the terminal (101) connected to the LAN # 1 (151) and the terminal (111) connected to the LAN # 2 perform communication via six TCP communications. As is well known, TCP performs flow control (and window control) and congestion control. Flow control and window control control the amount of data that can be transmitted at one time without waiting for an ACK by notifying the transmitting side of the amount of data that can be received by the receiving side. In the congestion control, the congestion state is checked by packet loss or retransmission timeout, and transmission control is performed on the transmission side. Tunneling apparatus # 1 (200) includes network interfaces NIF0 (204), NIF1 (205), a capsule control unit (201), a transmission / reception control unit (202), and a session path control unit (203).

  The tunneling device # 2 (300) includes a network interface NIF0 (305), NIF1 (304), and a encapsulation control unit (301).

  The configuration described in Patent Document 2 can be adopted as the configuration of the tunneling devices # 1 and # 2 such as the transmission rate control, except for portions specifically mentioned in this specification.

  The WAN (152) includes a tunneling device # 1 (200), a tunneling device # 2 (300), and other devices, and a wide area network (WAN) that performs communication using a delivery protocol between these devices. ).

  The LAN # 1 (151) is a local area network (LAN) that includes the tunneling device # 1 (200) and the terminal (101) and communicates between these devices using a payload protocol.

  The LAN # 2 (153) is a local area network (LAN) that includes the tunneling device # 2 (300) and the terminal (111) and communicates between these devices using the payload protocol.

  Further, the tunnel device # 1 (200) and the tunnel device # 2 (300), which are gateway devices, are connected to each other so that the LAN # 2 (153) and the LAN # 1 (151) operate as the same LAN. Yes. For this reason, each terminal in LAN # 1 (151) and each terminal in LAN # 2 (153) can communicate freely between the terminals without being aware of WAN.

  The tunneling device # 1 (200) is connected to the network using the delivery protocol with the tunneling device # 2 (300) on the WAN (152). The tunneling device # 1 (200) encapsulates the Ethernet (registered trademark) frame (the frame output from the end terminal) from the LAN # 1 (151) and transfers it to the WAN (152). The tunneling device # 1 (200), on the other hand, cancels (decapsulates) the Ethernet frame capsulation sent from the tunneling device # 2 (300) through the WAN (152), and the LAN # 1 (151) The remote LANs are connected to each other via the WAN.

  Encapsulation refers to converting the Ethernet frame (400) of FIG. 5 (described later) into the Ethernet frame (500) of FIG. 6 (described later), and decapsuling refers to converting the Ethernet frame (500) of FIG. To an Ethernet frame (400).

  The terminal (101) is a computer normally used by a LAN user, and an application (for example, a WEB browser / server, an FTP client / server, a file sharing client / server, etc.) for communicating with the terminal (111). ) And TCP and IP protocols operate. The terminal (111) has the same configuration as the terminal (101) and performs the same operation.

  In this embodiment, it is assumed that the tunneling device # 1, the tunneling device # 2, and the terminal have a computer function. As is well known, the computer has a configuration of a processing device, a storage device, an input device, and an output device. In this embodiment, functions such as calculation and control are realized in cooperation with other hardware by executing a program stored in the storage device by the processing device. In the present embodiment and each diagram of the embodiment, a program executed by the processing apparatus, its function, or means for realizing the function are “function”, “means”, “unit”, “unit”, “module”. Sometimes referred to as “TCP”, “IP” or the like.

  In the following description, the configuration of the present embodiment will be described using expressions such as “˜table”, “˜list”, “˜DB (Database)”, “˜queue”, “information”, etc., but these are stored in memory. Information stored in the device. As long as the information is equivalent, it may be expressed in a data structure other than a table, list, DB, queue, or the like.

  Further, in describing the contents of each information, the expressions “identification information”, “identifier”, “name”, “name”, and “ID (IDentification)” are used, but these can be replaced with each other. .

  In the present embodiment, the function equivalent to the function configured by the program can be realized by hardware such as FPGA (Field Programmable Gate Array) and ASIC (Application Specific Integrated Circuit), and can be replaced as appropriate.

<2. Configuration Example of Tunneling Device # 1>
2A and 2B are block diagrams of the tunneling apparatus # 1 (200). 2A shows a data flow when the NIF0 (204) receives a packet from the LAN # 1 (151), and FIG. 2B shows a data flow when the NIF1 (205) receives a packet from the WAN (152). ing. Tunneling apparatus # 1 (200) includes network interfaces NIF0 (204) and NIF1 (205), a capsule control unit (201), a transmission / reception control unit (202), a session path control unit (203), and a storage unit (206). ).

  The NIF0 (204) receives the frame (data) from the LAN (151) and sends it to the tag management unit 0 (240) (FIG. 2A). Conversely, the data is received from the tag management unit 0 (240) and transmitted to the LAN (151) (FIG. 2B).

  The NIF 1 (205) receives the frame (data) from the WAN (152) and sends it to the tag management unit 1 (241) (FIG. 2B). Conversely, data is received from the tag management unit 1 (241) and transmitted to the WAN (152) (FIG. 2A).

  The storage unit (206) includes a state table (207), sbuf0 (225) as a transmission buffer of the transmission / reception control unit (202), rubuf0 (226) as a reception buffer, and sbuf1 as a transmission buffer of the encapsulation control unit (201). (208) and rbuf1 (209) which is a reception buffer.

  The session path control unit (203) includes a tag management unit 0 (240) and a tag management unit 1 (241). In this embodiment, the session path control unit (203) controls the packet output destination within the same device by attaching and detaching tag information, so that the communication on the LAN side installation device and the communication on the WAN side installation device are the same. It is possible to perform using the transmission / reception control unit (202).

  The tag management unit 0 (240) and the tag management unit 1 (241) attach / detach the tag (information) and perform packet transfer according to the received packet.

  The encapsulation control unit (201) includes a encapsulation unit (210), a TCP (211), an IP (212), and a transfer destination determination unit (213).

  The encapsulation control unit (201) inputs / outputs packets to / from the transmission / reception control unit (202), and performs encapsulation / decapsulation of packets.

  The encapsulation unit (210) passes the Ethernet frame received from the transfer destination determination unit (224) as data to the TCP (211) for encapsulation (FIG. 2A). Conversely, data is extracted from the Ethernet frame received from the TCP (211), decapsulated, and passed to the transfer destination determination unit (224) (FIG. 2B).

  The TCP (211) determines the transmission rate (data transmission speed) based on both the reception window size notified to the TCP (211) and the congestion window size of the TCP (211), performs congestion control, and encapsulates. The data passed from (210) is transmitted to IP (212) (FIG. 2A).

  The TCP (211) of the encapsulation control unit (201) receives the data transmitted from the TCP (222) of the transmission / reception control unit (202), and performs a confirmation response to receive the packet and notify the reception window ( FIG. 2A).

  TCP (211) restores the order reversal, frame loss, and division of the received packet, and transfers them to the encapsulation unit (210) (FIG. 2B).

  Further, it is assumed that the maximum segment size (MSS) in TCP (211) is a size that is not divided (fragmented) by exchange with TCP (311) or TCP (222).

  The IP (212) receives data from the TCP (211) and adds a header (see FIG. 6 described later) necessary for WAN communication such as an IP header (502) and a MAC header (501) to form a frame. The data is transferred to the transfer destination determination unit (213) (FIG. 2A). Also, the MAC header (501) and IP header (502) of the frame received from the transfer destination determination unit (213) are removed and transferred to the TCP (211) (FIG. 2B). Further, various protocol processes necessary for WAN communication such as ARP (Address Resolution Protocol) and DHCP (Dynamic Host Configuration Protocol) are performed.

  The transfer destination determination unit (213) receives data from the IP (212) and sends the data to the tag management unit 0 (240) (FIG. 2A). Conversely, data is received from the tag management unit 0 (240) and transmitted to the IP (212) (FIG. 2B).

  The transmission / reception control unit (202) includes a TCP (222), an IP (223), and a transfer destination determination unit (224).

  The transmission / reception control unit (202) sends a proxy response to the packet that has entered from the first interface NIF0 (204) connected to the LAN # 1 (151), and the transmission / reception control unit (202) and the local terminal (101) By terminating the session, a new session is generated and communication on the LAN side is performed. In addition, a proxy response is made to the packet entered from the second interface NIF1 (205) connected to the WAN (152), and a new session is generated by terminating the session between the transmission / reception control unit and the opposite base terminal, Performs communication on the WAN side. Further, by referring to and writing the status table (207), information on LAN side communication and WAN side communication is shared, and each communication is appropriately controlled.

  The transfer destination determination unit (224) determines whether or not the received packet is tagged. If there is tag information, the transfer destination determination unit (224) transfers the packet to the encapsulation unit (210) of the encapsulation control unit (201). When there is no tag information, the packet is transferred to the tag management unit 1 (241) of the session path control unit (203) (FIG. 2A).

  TCP (222) works in the same way as TCP (211). IP (223) works in the same way as IP (212). In FIG. 2, the solid line indicates the packet flow, and the dotted line indicates the state of data reference, writing, and deletion in the state table 1001.

<3. Configuration Example of Tunneling Device # 2>
FIG. 3 shows a block diagram of tunneling apparatus # 2 (300). The tunneling apparatus # 2 (300) includes a network interface NIF0 (304), NIF1 (305), and a encapsulation control unit (301).

  The encapsulation control unit (301) includes a encapsulation unit (310), a TCP (311), and an IP (312).

  The storage unit (306) includes a status table (307), a TCP (311) transmission buffer sbuf1 (308), and a reception buffer rbuf1 (309).

  In FIG. 3, the solid line indicates the packet flow, and the dotted line indicates the state of data reference, writing, and deletion in the state table 1001.

<4. State table>
FIG. 4 is a table of the state table (207) stored in the storage unit (206) of the tunneling apparatus # 1 (200).

  The status table (207) includes an index (2070) for entry management, a transmission source IP address (2071), a transmission source TCP port number (2072), a transmission destination IP address (2073), and a transmission destination TCP port number (2074). Is stored. These pieces of information are information for specifying an entry, an address, and a port, and are used for normal communication control such as specifying a session.

  Further, the session path type (2075), which is tag information for attaching / detaching to / from the packet for packet transmission destination control, is stored. The session path type is information that can identify a session in the apparatus.

  In addition, the status table (207) arranges and temporarily stores a pointer for managing a transmission buffer, which is a buffer for temporarily storing a transmitted packet until an ACK is returned for the transmitted packet, and a received packet. It has a reception buffer / transmission buffer management pointer (2076) which is a pointer for managing a reception buffer which is a buffer to be stored. Further, a TCP state (2077) which is state information such as OPEN / CLOSE of each control unit TCP is provided. The TCP state (2077) indicates an access state to the state table (207) of the TCP (222) of the transmission / reception control unit (202) and the TCP (211) of the encapsulation control unit (201).

  In addition, the status table (207) includes a reception window size (2079) indicating the size of data that can be transmitted from the partner to the partner notified by TCP, and the size of data that can be transmitted to the partner when performing congestion control using TCP. A congestion window size (20710) is provided.

  Further, the state table (207) includes a transmission rate (A) (20710) determined by the TCP (222) of the transmission / reception control unit (202) and a transmission determined by the TCP (211) of the encapsulation control unit (201). The rate (B) (20711) is stored.

  The status table (207) manages these data for each connection. Here, the connection means a logical line for performing data communication between communication devices. In the present embodiment, the LAN (151, 153) and the WAN (152) are linked and controlled using these pieces of information.

  In addition, the TCP information holds the throughput, the packet discard rate, the RTT, etc. as information for speeding up the communication instead of or in addition to the reception window size (2078) and the congestion window size (2079). May be. The throughput may be calculated as RTT ÷ receiving window size. By using these pieces of information, the transmission / reception control unit (202) of the tunneling apparatus # 1 can know the state of communication performed by the WAN (152), and control its own communication based on this. Can do.

  The state table has N entries (N is an integer of 1 or more). An entry is information of 2070 to 20711 for each connection. Note that the state table (307) of the tunneling apparatus # 2 also has a configuration that is partially in common with the state table (207).

<5. Explanation of overall operation>
Hereinafter, with reference to FIG. 1 to FIG. 4, the operation in the present embodiment will be described using an example in which a packet is transmitted from the terminal (101) to the terminal (111). In the following description, it is assumed that the session is already registered in the state table (207).

  The TCP (102) of the terminal (101) transmits a packet for the TCP (112) of the terminal (111) via the IP (103) and NIF0 (104) (FIG. 1).

  The NIF0 (204) of the tunneling apparatus # 1 (200) receives the packet transmitted by the TCP (102) of the terminal (101) via the LAN # 1 (151). The NIF0 (204) transfers the received packet to the session path control unit (203) (FIG. 1).

  The session path control unit (203) receives the packet, and adds a tag 1 (5000: described later in FIG. 5) to indicate that the packet has passed through the session path control unit. Thereafter, the packet is transferred to the transmission / reception control unit (202) (FIG. 1).

  The TCP (222) of the transmission / reception control unit (202) receives the packet and registers the received packet in the transmission / reception buffer (225, 226). Also, the reception window size notified from the TCP (102) of the terminal (101), the congestion window size of the TCP (222), the transmission rate (packet transmission speed) based on the information in the state table (207), etc. Determine the control information. Then, the packet is transferred to the tag management unit 1 (241) or the encapsulation control unit (201) of the session path control unit (203) via the IP (223) and the transfer destination determination unit (224) according to the tag state. To do. In the example described later, when there is one tag (through the session path control unit (203) once), the packet is transmitted to the encapsulation control unit (201). When there are two tags (via the session path control unit (203) twice), the packet is transmitted to the tag management unit 1 (241) of the session path control unit (203).

  At this time, the TCP (222) determines the transmission rate in consideration of other TCP sessions by referring to the state table (207), and uses the information as the transmission rate (A) (20710) of the state table (207). (FIGS. 1, 2A, and 4).

  When TCP (222) receives the packet, it returns ACK as a proxy response via the tag management unit (240) of the session path control unit (203). Since the ACK is returned by the TCP (222) of the transmission / reception control unit (202) of the tunneling apparatus # 1 (200), a value based on the TCP (222) is used for the reception window size notification.

  The encapsulation control unit (201) of the tunneling apparatus # 1 (200) encapsulates the packet received via the transfer destination determination unit (213) by the encapsulation unit (210), and converts the received packet to the TCP (211). Forward. When the TCP (211) receives the packet, the packet is stored in the transmission buffer (208), the reception window size notified from the TCP (222), the congestion window size of the TCP (211), and the information in the state table (207). The transmission rate (packet transmission rate) is determined based on the above. Then, the packet is transferred to the tag management unit 0 (240) of the session path control unit (203) via the IP (212) and the transfer destination determination unit (213). At this time, the TCP (211) refers to the state table (207) to determine the transmission rate in consideration of other TCP sessions, and the information is transmitted to the transmission rate (B) (20711) of the state table (207). ) (FIGS. 1, 2A, and 4). Various known methods can be adopted as a method for determining the transmission rate. For example, the transmission rate may be increased or decreased in accordance with the tendency of the transmission rate of other sessions.

  The tag management unit 0 (240) of the session path control unit (203) of the tunneling apparatus # 1 (200) receives a packet from the TCP (211), and indicates that the received packet has passed through this session path control. Tag 2 (6001: which will be described later with reference to FIG. 6). Thereafter, the packet is transferred to the TCP (222) of the transmission / reception control unit (202). At this time, two tags (tag 1 (6000) and tag 2 (6001)) are added to the packet.

  The TCP (222) receives the packet and registers the received packet in the transmission / reception buffer (225, 226). The TCP (222) sets the transmission rate (packet transmission speed) based on the reception window size notified from the TCP (211), the congestion window size of the TCP (222), and the information in the state table (207). decide. When there are two tags attached to the packet via the IP (223) and the transfer destination determination unit (224), the packet is transferred to the tag management unit 1 (241) of the session path control unit (203). To do. Alternatively, if there is one tag, the packet is transferred to the encapsulation control unit (201).

  At this time, the TCP (222) determines the transmission rate in consideration of other TCP sessions by referring to the state table (207), and uses the information as the transmission rate (A) (20710) of the state table (207). Write to (overwrite). At this time, since the contents of the state table reflect the state of the TCP (211), the set transmission rate reflects the state of the encapsulation control unit (201).

  When a packet is received, ACK is returned as a proxy response via the tag management unit (240) of the session path control unit (203). Since the ACK is returned by the TCP (222) of the transmission / reception control unit (202) of the tunneling apparatus # 1 (200), a value based on the TCP (222) is used for the reception window size notification.

  Tag management unit 1 (241) of session path control unit (203) of tunneling apparatus # 1 (200) receives a packet from transfer destination determination unit (224) of transmission / reception control unit (202), and tags from the received packet Is deleted. Thereafter, the packet is transferred to the NIF1 (205) (FIGS. 1 and 2A).

  The NIF0 (205) in the tunneling apparatus # 2 (300) receives the packet from the WAN (152), extracts the WAN DATA (504) from the packet, and transfers it to the TCP (311) (FIGS. 1 and 3).

  When TCP (311) receives the packet, it stores it in the transmission buffer (208), and transfers the packet to the terminal (111) via IP (302) and NIF0 (305).

  The TCP (311) sends a confirmation response to the TCP (222) and notifies the reception window size of the TCP (311) (FIGS. 2A and 3).

  The NIF0 (114) of the terminal (111) receives the packet and transfers the received packet to the TCP (112). When the TCP (112) receives the packet, it notifies the TCP (112) of the reception window size and confirms the response (FIG. 1).

<6. Frame format>
FIG. 5 is a block diagram showing a LAN frame format. FIG. 5 shows the LAN # 1 (151) (for example, between the terminal (101) and the tunneling device # 1 (200)) and the LAN # 2 (153) (for example, the terminal (111) and the tunneling device # 2 (300)). It is a figure which shows the format of the Ethernet frame (400) transmitted / received between.

  The LAN MAC (401) is a header (MAC DA, MAC SA, Ethernet (registered trademark) TYPE) necessary for performing communication at Layer 2 (Ethernet) in LAN # 1 (151) or LAN # 2 (153). Etc., a header specified in IEEE).

  LAN IP (402) is a header (IP DA, IP SA, IP TYPE, and other IETF) necessary for performing communication at Layer 3 (IP) in LAN # 1 (151) or LAN # 2 (153). A specified header).

  The LAN TCP (403) is a header (TCP header such as port number and sequence number) necessary for performing TCP communication between each device existing in the LAN # 1 (151) or LAN # 2 (153). Is shown.

  The LAN DATA (404) is data exchanged between software (between the terminal 101 and the terminal 102) operating on each device existing in the LAN # 1 (151) or the LAN # 2 (153).

  A tag 1 (5000, 6000) and a tag 2 (6001) indicate tags to be detached by the tag management unit (240, 241) based on the session path type (2075) of the status table (207) in this embodiment. . This tag is used to identify the session within the device. The tags (5000, 6000, 6001) are detached by the tag management unit (240, 241) and used to determine whether the packet has arrived from an external network or passed through the apparatus. That is, when the tag is one tag 1 (5000), it passes through the session path control unit (203) once from the LAN # 1 (151) via the NIF0 (204), and the transmission / reception control unit (202). Indicates that the packet is input to. Further, when there are two tags, tag 1 (6000) and tag 2 (6001), they are further input to the transmission / reception control unit (202) via the transmission / reception control unit (202) and the encapsulation control unit (201). Indicates a packet.

  The position where the tag is attached need not be limited to the position shown in FIG. In this embodiment, the same tag 2 (6001) as the information indicating the session path type (2075) is used as the tag 2 (6001) indicating the packet route. Other information, for example, a counter that is incremented every time tag management 0 (240) is passed may be used.

  FIG. 6 is a block diagram showing a WAN frame format. FIG. 6 is a block diagram showing a format of an Ethernet frame (500) transmitted / received between the tunneling device # 1 (200) and the tunneling device # 2 (300).

  The WAN MAC (501) indicates a header (MAC DA, MAC SA, Ethernet TYPE, etc., a header specified in IEEE) necessary for performing communication at Layer 2 (Ethernet) on the WAN (152). .

  WAN IP (502) indicates a header (IP DA, IP SA, IP TYPE, etc., a header specified in IETF) necessary for performing communication at Layer 3 (IP) on WAN (152). .

  The WAN TCP (503) indicates a header (TCP header such as a port number and a sequence number) necessary for performing communication by TCP between each device existing in the WAN (152).

  The WAN DATA (504) is data exchanged between applications (such as between the tunneling device # 1 (200) and the tunneling device # 2 (300)) operating on each device existing in the WAN (152).

  The WAN DATA (504) stores an Ethernet frame (400) that flows on the LAN # 1 (151) or the LAN # 2 (153).

  WAN DATA (504) may be encrypted using SSL (Secure Socket Layer), IPsec, or the like. In that case, information for encryption or decryption (for example, a public key or an encryption key) may be added to the state table (207).

<7. Processing flow at the time of input to NIF0 of tunneling device # 1>
FIG. 7 is a flowchart of processing when a packet is input to NIF0 of tunneling apparatus # 1 (200).

  The tunneling device # 1 (200) manages the packet transmission destination by attaching / detaching tag information to / from the packet and updating and managing the status table. The same transmission / reception control unit is connected to the LAN side and WAN side TCP in the same device. It can be used for communication.

  With reference to FIGS. 7 and 2A, a method of attaching / detaching tag information to / from the packet of NIF0 of tunneling apparatus # 1 (200) and a method of managing state table update will be described.

  In step 1002, a packet entered in NIF0 (204) of tunneling apparatus # 1 (200) is received. The packet received at this time has the Ethernet frame (400) format. The received packet is transferred to the tag management unit 0 (240) of the session path control unit (203) in the same format.

  In step 1003, the tag management unit 0 (240) of the session path control unit (203) receives a packet from the NIF0 (204) or the transfer destination determination unit (213) of the encapsulation control unit (201).

  For a packet received from the NIF0 (204) or the transfer destination determination unit (213) of the encapsulation control unit (201), the tag management unit 0 (240) refers to the state table (207) and transmits the source IP address (2071). ), The transmission source TCP port number (2072), the transmission destination IP address (2073), and the transmission destination TCP port number (2074) are confirmed to match the information of the received packet.

  As a result of the confirmation, if any one does not match, it is determined that a new TCP session has occurred, and 2071 to 2074 are registered as new entries in the status table (207). At this time, information of N bytes (N is 1 or more) indicating a session number is registered in the session path type (2075) as tag information. If all match, it is determined that the TCP session is already registered in the status table (207), and no entry is added to the status table (207). Communication control is linked between the first network and the second network by the tag.

  When the packet is received from the NIF0 (204), the tag management unit 0 (204) sends the source IP address (2071), source TCP port number (2072), destination IP address (2073) of the status table (207). ) And the entry with the same destination TCP port number (2074) are searched for. If there is a matching entry, the tag management unit 0 (204) attaches an N-byte tag 1 (5000) indicating the session number to the head of the packet received based on the session path type (2075) of the entry. Then, the data is transferred to the IP (223) of the transmission / reception control unit (202).

  When the packet is received from the transfer destination determination unit (213) of the encapsulation control unit (201), the tag management unit 0 (204) displays the transmission source IP address (2071) and the transmission source TCP port number of the status table (207). (2072), the destination IP address (2073), and the entry having the same destination TCP port number (2074) are searched. In the case of a packet received from the transfer destination determination unit (213), tag 1 (6000) is already attached. If there is a matching entry, the tag management unit 0 (204) attaches an N-byte tag 2 (6001) indicating a session number to the head of the packet received based on the session path type (2075) of the entry. And transfer to the IP (223) of the transmission / reception control unit (202).

  In step 1004, the IP (223) of the transmission / reception control unit (202) receives the packet from the tag management unit 0 (240). The IP (223) removes the MAC header and IP header of the received packet and transfers them to the TCP (222).

  In step 1005, the TCP (222) of the transmission / reception control unit (202) receives a packet from the IP (223).

  In steps 1006 to 1007, the TCP (222) stores the received packet in sbuf 0 (225) of the storage unit (206), and updates the reception buffer / transmission buffer management pointer (2077) of the status table (207). Thereafter, TCP (222) forwards the packet to IP (223).

  In step 1008, the IP (223) restores the MAC header, the IP header, etc. removed by the IP (223) of the received packet, and transfers them to the transfer destination determination unit (224).

  In step 1009, the transfer destination determination unit (224) of the transmission / reception control unit (202) receives a packet from the IP (223). The transfer destination determination unit (224) determines the state of the tag of the packet, and when there is only one tag, that is, only tag 1 (5000), transfers the packet to the encapsulation unit (210) of the encapsulation control unit (201). . If there are two tags, that is, tag 1 (6000) and tag 2 (6001), the packet is transferred to tag management unit 1 (241) of session path control unit (203). The packet transferred at this time is an Ethernet frame (500) and its head 2 * N bytes with tag information added.

  Step 1010 is processing when the packet has one tag. Here, the encapsulation unit (210) of the encapsulation control unit (201) receives the packet from the transfer destination determination unit (224). The Ethernet frame (400) is encapsulated by the encapsulation unit (210) into an Ethernet frame (500) and converted into WAN DATA (504). When encapsulating, the tag information of the first N bytes is used only in the tunneling apparatus # 1 (200), and therefore is removed once. The encapsulation unit (210) transfers the packet to the TCP (211).

  In steps 1011 to 1012, the TCP (211) of the encapsulation control unit (201) receives a packet from the encapsulation unit (210). The TCP (211) stores the received packet in sbuf0 (208) of the storage unit (206), and updates the reception buffer / transmission buffer management pointer (2077) of the status table (207). Thereafter, the TCP (211) transfers the packet to the IP (212).

  In step 1013, the IP (212) returns the MAC header and IP header of the received packet together with the tag information, and transfers the packet to the transfer destination determination unit (213).

  In step 1014, the transfer destination determination unit (213) receives a packet from the IP (212). At this time, the packet received by the transfer destination determination unit (213) has the format of the Ethernet frame (500). The transfer destination determination unit (213) refers to the status table (207) and adds the N-byte tag information removed in step 1010 to the head of the packet of the Ethernet frame (500). The transfer destination determination unit (213) transfers the packet to the tag management unit 0 (240) of the session path control unit (203).

  Step 1015 is processing when there are two tags in the packet. Here, the tag management unit 1 (241) of the session path control unit (203) receives a packet from the transfer destination determination unit (224) of the transmission / reception control unit (202). At this time, the packet received by the tag management unit 1 (241) is obtained by adding tag information of 2 * N bytes to the format of the Ethernet frame (500). That is, as shown in FIG. 6, an N-byte tag 1 (6000) and an N-byte tag 2 (6001) are attached. The tag management unit 1 (241) deletes the 2 * N-byte tag information and transfers the packet to the NIF1 (205).

  In step 1016, the packet received by NIF1 (205) is output.

<8. Processing flow at the time of input to NIF1 of tunneling device # 1>
FIG. 8 is a flowchart of processing when a packet is input to the NIF 1 of the tunneling apparatus # 1 (200). 8 and 2B, a method of attaching / detaching tag information to / from the packet and an update management method of the state table will be described by taking the packet input to the NIF 1 (205) of the tunneling apparatus # 1 (200) as an example.

  In step 1102, the packet received in the NIF 1 (205) of the tunneling apparatus # 1 (200) is received. The packet received at this time has the Ethernet frame (500) format. The received packet is transferred to the tag management unit 1 (241) of the session path control unit (203) in the same format.

  In step 1103, the tag management unit 1 (241) of the session path control unit (203) receives a packet from the NIF1 (205). For the packet received from the NIF 1 (205), the tag management unit 1 (241) refers to the state table (207), and transmits the source IP address (2071), the source TCP port number (2072), and the destination IP address. (2073) and whether the destination TCP port number (2074) matches the information of the received packet.

  As a result of the confirmation, if any one does not match, it is determined that a new TCP session has occurred, and 2071 to 2074 are registered as new entries in the status table (207). At this time, the defined N-byte information indicating the session number is registered in the session path type (2075) as tag information.

  If all match, it is determined that the TCP session is already registered in the status table (207), and no entry is added to the status table (207). At this time, the tag management unit 1 (241) adds tag information to the packet based on the session path type (2075) of the entry registered in the status table (207). Thus, the packet transferred from the tag management unit 1 (241) is obtained by adding the tag 1 (6000) to the Ethernet frame (500) and the first N bytes.

  In step (1104), the transfer destination determination unit (224) of the transmission / reception control unit (202) receives a packet from the tag management unit 1 (241). The transfer destination determination unit (224) transfers the received packet as it is to the IP (223).

  In step (1105), the IP (223) receives the packet from the transfer destination determination unit (224). The IP (223) removes the MAC header and IP header of the received packet and transfers them to the TCP (222).

  In steps (1106 to 1108), the TCP (222) of the transmission / reception control unit (202) receives a packet from the IP (223). The TCP (222) stores the received packet in rbuf0 (225) of the storage unit (206), and updates the reception buffer / transmission buffer management pointer (2077) of the status table (207). Thereafter, TCP (222) forwards the packet to IP (223).

  In step (1109), the IP (223) restores the MAC header and IP header removed by IP (223) of the received packet to the tag management unit 0 (240) of the session path control unit (203). Forward.

  In step (1110), the tag management unit 0 (204) of the session path control unit (203) receives a packet from the IP (223). The packet received at this time is an Ethernet frame (500) and an Ethernet frame (400) to which tag information is added to the first N bytes, or tag information is not added.

  When tag information is added, the tag management unit 0 (204) deletes the tag information and transfers the packet to the transfer destination determination unit (213) of the encapsulation control unit (201).

  When tag information is not added, the tag management unit 0 (204) transfers the packet to the NIF0 (204) as it is.

  In step (1111), the transfer destination determination unit (213) of the encapsulation control unit (201) receives the packet. The transfer destination determination unit (213) temporarily removes the tag information of the first N bytes of the received packet and transfers it to the IP (212).

  In step (1112), the IP (212) of the encapsulation controller (201) receives the packet. The IP (212) removes the MAC header and IP header of the received packet and transfers them to the TCP (211).

  In steps (1113 to 1115), the TCP (211) stores the received packet in rubuf1 (209) of the storage unit (206), and updates the reception buffer / transmission buffer management pointer (2077) of the status table (207). To do. Thereafter, the TCP (211) transfers the packet to the encapsulation unit (210).

  In step (1116), the encapsulation (210) of the encapsulation controller (201) receives the packet. The encapsulation unit (210) decapsulates the Ethernet frame (500) and takes out the Ethernet frame (400). The extracted Ethernet frame (400) is transferred to the transfer destination determination unit (224) of the transmission / reception control unit (202). The encapsulation unit (210) refers to the state table (207), and adds the N-byte tag information removed in step 1111 to the head of the packet of the Ethernet frame (400).

  In step (1117), the packet received by NIF1 (205) is output.

  7 and 8 can be dealt with by the information processing apparatus (computer) controlling hardware resources by software.

<9. TCP packet sequence>
FIG. 9 is a sequence diagram of packets of each control unit TCP in the system of FIG. FIG. 9 illustrates a method of returning an ACK when the transmission / reception control unit (202) of the tunneling apparatus # 1 (200) in this embodiment makes a proxy response to the transmission terminal (101). A sequence diagram when two data packets (DATA # 1 (651), DATA # 2 (656)) are transmitted toward (111) is shown.

  In the figure, although the transmission / reception control units (202A) and (202B) have the same physical configuration, they are distinguished in the packet transmission sequence. The transmission / reception control unit (202A) corresponds to the processing of the packet that has entered from the NIF0 (204) via the tag management 0 (240) in FIG. 2A. The transmission / reception control unit (202B) in FIG. 213) corresponds to the processing of the packet that has entered via the tag management 0 (240). As an embodiment, two transmission / reception control units may be provided, but in this embodiment, a tag is added to a packet so that it operates with one transmission / reception control unit.

  The transmission / reception control unit (202A) of the tunneling apparatus # 1 (200) does not send back an ACK even if it receives DATA # 1 (651) which is the first packet by flow control. After receiving the second packet DATA # 2 (656), the transmission / reception control unit (202A) of the tunneling apparatus # 1 (200) receives ACK # 1 (661) which is an ACK packet for the first packet. Reply.

  Even if terminal (101) transmits DATA # 2 (656), which is the second packet, it has only received ACK # 1 (661) for the second packet, so transmission has not been completed. It is still judged.

  The transmission / reception control unit (202B) of the tunneling apparatus # 1 (200) receives the second packet DATA # ′ 2 (DATA # 2) (658), and then receives an ACK for the first packet (653). ACK # ′ 1 (662) which is a packet is returned as a proxy response. At this time, since the WAN DATA (504) of ACK # ′ 1 (662) is empty, when the encapsulation control unit (201) decapsulates, the WAN DATA (504) does not contain a packet, and the encapsulation control unit ( 201) does not return to the transmission / reception control unit (202B).

  When the encapsulation control unit (201) of the tunneling apparatus # 1 (200) receives ACK # 1 (664), which is a non-empty ACK packet, the WAN DATA (504) decapsulates the packet, and the first packet Is transmitted to the transmitting side as ACK # 1 (663), which is an ACK packet for.

  Only when DATA # 2 (666), which is the second packet, arrives at the terminal (111) from the encapsulation control unit (301) of the tunneling apparatus # 2 (300), the last ACK # 2 for the second packet is received. (671) is returned from the terminal (111), and the terminal (111) determines that the reception is completed.

  When receiving the ACK # 2 (671) that is the last ACK packet, the encapsulation control unit (301) of the tunneling device (300) encapsulates the packet and ACK ′ that is the last ACK packet for the second packet. It is transmitted to the transmitting side as # 2 (ACK # 2) (670).

  When the transmission / reception control unit (202B) of the tunneling apparatus # 1 (200) receives ACK # 2 (670) that is the last ACK packet, ACK ′ # 2 (ACK) that is the last ACK packet for the second packet is received. # 2) Transmit to the transmitting side as (669).

  The encapsulation controller (201) of the tunneling apparatus # 1 (200) decapsulates the received packet and transmits it to the terminal (101) as ACK # 2 (667) which is the last ACK packet for the second packet. .

  The terminal (101) receives ACK # 2 (667), which is the last ACK packet, and determines that transmission is completed.

  Unless the terminal (111) determines that the reception is completed, the last ACK packet is not returned to the terminal (101), and the terminal (101) does not determine that the transmission is completed. Communication is not terminated without receiving a packet.

  The capsulation control unit TCP (201) returns an ACK from the encapsulation control unit (201) to the transmission / reception control unit (202A) in response to ACK # '1 (662) returned by the transmission / reception control unit (202B) as a proxy response. In ACK '# 1 (ACK # 1) (664), different protocols are used before and after the encapsulation as in the VPN system by returning an ACK from the encapsulation controller (201) to the transmission / reception controller (202A). Even in the environment where the communication occurs, the consistency of communication can be maintained by maintaining the state where one ACK is delayed.

  As described above, in addition to transmitting an ACK for the data packet received immediately before, an ACK for at least the previous data packet such as two or three before may be transmitted. In addition to sending no ACK to the first packet 110, an ACK that does not include the reception sequence number corresponding to the tail data of the first packet (for example, 0 to 1459) is returned, and the first packet 110 The ACK including the reception sequence number corresponding to the tail data may not be returned.

<10. Hardware configuration of tunneling apparatus # 1>
FIG. 10 shows an example of a hardware configuration for realizing the tunneling apparatus # 1 (200) shown in FIG. In the configuration example of FIG. 10, the tunneling device # 1 (200) includes a CPU (Central Processor Unit) (151), a RAM (Random Access Memory) (154), an input device (155), a display device (153), and A computer (electronic computer) having a general configuration to which an external storage device (156) is connected via an interface (152).

  The input device 155 is, for example, a keyboard or a mouse, the display device (153) is a display for display, and the external storage device (156) is an HDD (Hard Disk Drive). The CPU (151) implements the encapsulation control unit (201), transmission / reception control unit (202), and session path control unit (203) shown in FIG. 1 as processes by executing a program loaded on the RAM (154). Turn into. The interface (152) is an internal path for transmitting and receiving data between each component in the apparatus. The external storage device (156) includes each database (storage unit (206), etc.) and a encapsulation control unit. (201), execution programs of the transmission / reception control unit (202) and the session path control unit (203) are stored.

  The above configuration may be configured by a single computer, or may be configured by another computer in which any part of the input device, output device, CPU, RAM, and storage device is connected via a network. .

  Hereinafter, Example 2 will be described with reference to FIGS.

  FIG. 11 shows a system in which the tunneling device # 1-1 (200) is installed at the boundary between the local LAN and the WAN, and the tunneling device # 1-2 (250) is set at the boundary between the LAN and the WAN at the opposite site. Have been described.

  The tunneling device # 1-1 (200) in FIG. 11 has the same configuration as the tunneling device # 1 (200) in FIG. In FIG. 11, the tunneling device # 2 (300) of FIG. 1 is replaced with a tunneling device # 1-2 (250) having the same configuration as the tunneling device # 1-1 (200). Therefore, the same components as those in FIG. In the example of FIG. 11, the terminal (101) connected to the LAN # 1 (151) and the terminal (111) connected to the LAN # 2 communicate via a total of eight TCP communications. .

  The tunneling apparatus # 1-2 (250) includes a network interface NIF0 (254), NIF1 (255), a encapsulation control unit (251), a transmission / reception control unit (252), and a session path control unit (253).

  Hereinafter, with reference to FIG. 11, the operation in the present embodiment will be described by taking as an example the case of transmitting a packet to terminal (101) and terminal (111).

  The TCP (102) of the terminal (101) transmits a packet for the TCP (112) of the terminal (111). The operation of the tunneling apparatus # 1-1 (200) is the same as that described in FIGS. 2A and 2B and is omitted because it is the same as that of the first embodiment. Also, the operation of the tunneling device # 1-2 (250) is symmetric with the transmission / reception operation of the tunneling device # 1-1 (200).

FIG. 12 is a sequence diagram of packets of each control unit TCP in the system of FIG.
FIG. 12 illustrates a method of returning an ACK when the transmission / reception control unit (202) of the tunneling apparatus # 1-1 (200) according to the present embodiment makes a proxy response to the transmission terminal. 111 shows a sequence diagram when two data packets (DATA # 1 (751), DATA # 2 (758)) are transmitted toward (111).

  Normally, when TCP receives DATA # n, it sends back ACK # n corresponding to DATA # n, but the transmission / reception control unit (202) of the tunneling device (200) receives DATA # 1 (751) as the first packet. ACK # 1 is not returned even if received. The transmission / reception control unit (202) of the tunneling device (200) receives DATA # 2 (758), which is the second packet, and then returns ACK # 1 (765), which is the ACK packet for the first packet. To do.

  Even if terminal (101) transmits DATA # 2 (758), which is the second packet, it has only received ACK # 1 (765) for the second packet, so transmission has not been completed. It is still judged.

  The transmission / reception control unit (202) of the tunneling apparatus # 1-1 (200) receives the second packet DATA # ′ 2 (DATA # 2) (760), and then receives the first packet (753). ACK # 1 (766), which is an ACK packet for, is returned as a proxy response. Since WAN DATA (504) of ACK # 1 (766) is empty at this time, when the encapsulation control unit (201) decapsulates, the WAN DATA (504) does not contain a packet, and the encapsulation control unit (201 ) Does not return to the transmission / reception control unit (202).

  When the encapsulation control unit (251) of the tunneling device # 1-2 (250) receives ACK # 1 (769), which is a non-empty ACK packet, the WAN DATA (504) decapsulates the packet. Is transmitted to the transmitting side as ACK # 1 (768) which is an ACK packet for the packet.

  Only when DATA # 2 (764), which is the second packet, arrives at the terminal (111) from the transmission / reception control unit (252) of the tunneling apparatus # 1-2 (250), the last ACK for the second packet is received. # 2 (780) is returned from the terminal (111), and the terminal (111) determines that the reception is completed.

  When receiving the ACK # 1 (772) that is an ACK packet, the encapsulation control unit (251) of the tunneling apparatus # 1-2 (250) encapsulates the packet, and ACK ′ that is an ACK packet for the first packet. It is transmitted to the transmitting side as # 1 (ACK # 1) (771).

  When the encapsulation control unit (251) of the tunneling apparatus # 1-2 (250) receives ACK # 2 (778) that is the last ACK packet, it encapsulates the packet, and the last ACK packet for the second packet. Is transmitted to the transmitting side as ACK '# 2 (ACK # 2) (777).

  Upon receiving ACK # ′ 1 (ACK # 1) (769) as an ACK packet, the encapsulation control unit (201) of the tunneling apparatus # 1-1 (200) receives ACK # as an ACK packet for the first packet. 1 (768) is transmitted to the transmission side.

  When the encapsulation control unit (201) of the tunneling apparatus # 1-1 (200) receives ACK # ′ 2 (ACK # 2) (775) which is the last ACK packet, it is an ACK packet for the second packet. It transmits to the transmission side as ACK # 2 (774).

  When the transmission / reception control unit (202) of the tunneling apparatus # 1-1 (200) receives ACK # 2 (773) which is the last ACK packet, ACK # 2 (ACK # 2 (last ACK packet for the second packet) is received. 773) to the terminal (101).

  The terminal (101) receives ACK # 2 (773), which is the last ACK packet, and determines that transmission has been completed.

  Unless the terminal (111) determines that the reception is completed, the last ACK packet is not returned to the terminal (101), and the terminal (101) does not determine that the transmission is completed. Communication is not terminated without receiving a packet.

The capsulation control unit TCP (201) does not return an ACK from the encapsulation control unit (201) to the transmission / reception control unit (202) in response to ACK # 1 (766) returned by the transmission / reception control unit (202) as a proxy response. ACK '# 1 (ACK # 1) (664) uses different protocols before and after encapsulation, such as a VPN system, by returning ACK from the encapsulation control unit (201) to the transmission / reception control unit (202). Even in an environment in which communication occurs, the consistency of communication can be maintained by maintaining a state in which one ACK is delayed.
As described above, in addition to transmitting an ACK for the data packet received immediately before, an ACK for at least the previous data packet such as two or three before may be transmitted. In addition to sending no ACK to the first packet 110, an ACK that does not include the reception sequence number corresponding to the tail data of the first packet (for example, 0 to 1459) is returned, and the first packet 110 The ACK including the reception sequence number corresponding to the tail data may not be returned.

101 terminal 102 TCP
103 IP
104 NIF0
111 terminal 112 TCP
113 IP
114 NIF0
151 LAN # 1
152 WAN
153 LAN # 2
200 Tunneling device # 1
201 Encapsulation control unit 202 Transmission / reception control unit 203 Session path control unit 204 NIF0
205 NIF1
300 Tunneling device # 2
301 Encapsulation control unit 304 NIF1
305 NIF0

Claims (15)

A communication device connected to the first network and the second network for transmitting and receiving packets,
A first interface connected to the first network;
A second interface connected to the second network;
A first network side transmission / reception control unit for controlling a packet transmission / reception amount of the first interface based on the first protocol, having a encapsulation control unit for converting a communication protocol by performing encapsulation / decapsulation of the packet; ,
A second network-side transmission / reception control unit for controlling the packet transmission / reception amount of the second interface based on a second protocol;
A transmission buffer for holding packets to be transmitted, a reception buffer for holding received packets, and a storage unit having a state table for managing connections for each entry;
Management information is shared for each connection between the first network side transmission / reception control unit and the second network side transmission / reception control unit, and a packet transmission / reception amount is controlled based on the shared management information. Communication device. The same transmission / reception control unit carries the function of the first network side transmission / reception control unit and the function of the second network side transmission / reception control unit,
By adding tag information including connection information to the management information, switching the functions of the first network side transmission / reception control unit and the second network side transmission / reception control unit in the same transmission / reception control unit Features
The communication apparatus according to claim 1. The same transmission / reception control unit carries the function of the first network side transmission / reception control unit and the function of the second network side transmission / reception control unit,
By adding tag information including connection information to the management information, the information of the state table is shared as the management information,
The communication apparatus according to claim 1. The first network side transmission / reception control unit controls the packet transmission / reception amount of the first interface based on TCP,
The communication device according to claim 2 or 3. The second network side transmission / reception control unit controls the packet transmission / reception amount of the second interface based on TCP,
The communication device according to claim 2 or 3. Between the first network side transmission / reception control unit and the second network side transmission / reception control unit, at least one of reception window size, congestion window size, RTT, packet discard rate, and throughput as the management information for each connection Share one,
The communication device according to claim 2 or 3. A first interface connected to the first network and receiving packets according to a first protocol;
A second interface connected to a second network and transmitting the packet according to a second protocol;
A encapsulation control unit that converts a protocol between the first protocol and the second protocol by performing encapsulation and decapsulation of the packet;
A packet transmission / reception amount of the first interface based on the first protocol, and a transmission / reception control unit for controlling the packet transmission / reception amount of the second interface based on the second protocol;
A session path control unit that receives a packet from the first interface and a packet that has passed through the encapsulation control unit from the first interface, and inputs the packet to the transmission / reception control unit with a tag that enables identification of both. And
The transmission / reception control unit transmits a packet from the first interface to the encapsulation control unit, and transmits a packet from the encapsulation control unit to the second interface.
Communication device. The transmission / reception control unit includes a first TCP,
The encapsulation control unit includes a second TCP,
The second TCP performs flow control and congestion control with the first TCP,
The first TCP performs flow control and congestion control with the TCP that is the connection destination of the first interface, and is connected to the TCP that is the connection destination of the second TCP and the second interface. Perform flow control and congestion control selectively between
The communication device according to claim 7. The first TCP and the second TCP have access to a common state table for the flow control and congestion control.
The communication device according to claim 8. The state table is
Store at least one of reception window size, congestion window size, RTT, packet discard rate, and throughput for each connection.
The communication device according to claim 9. The tag is a tag that can identify the connection,
Stored in the state table,
The communication apparatus according to claim 10. The session path control unit further includes:
The packet from the second interface and the packet that has passed through the encapsulation controller from the second interface are input, with a tag that can identify both, and input to the transmission / reception controller,
The transmission / reception control unit transmits a packet from the second interface to the encapsulation control unit, and transmits a packet from the encapsulation control unit to the first interface.
The communication device according to claim 7. A first terminal, a first communication device, a second communication device, a second terminal, a first network between the first terminal and the first communication device, and the first communication device A communication system comprising a second network between the second communication devices, a third network between the second communication device and the second terminal,
The first communication device is:
A first interface connected to the first network and receiving packets according to a first protocol;
A second interface connected to the second network and transmitting the packet according to a second protocol;
A encapsulation control unit that converts a protocol between the first protocol and the second protocol by performing encapsulation and decapsulation of the packet;
A packet transmission / reception amount of the first interface based on the first protocol, and a transmission / reception control unit for controlling the packet transmission / reception amount of the second interface based on the second protocol;
Session path control that receives a packet from the first interface and a packet from the first interface via the capsule control unit as an input, attaches a tag that makes the both identifiable, and inputs the tag to the transmission / reception control unit And
The transmission / reception control unit transmits a packet from the first interface to the encapsulation control unit, and transmits a packet from the encapsulation control unit to the second interface.
Communications system. The transmission / reception control unit includes a first TCP,
The encapsulation control unit includes a second TCP,
The second TCP performs flow control and congestion control with the first TCP,
The first TCP performs flow control and congestion control with the TCP that is the connection destination of the first interface, and is connected to the TCP that is the connection destination of the second TCP and the second interface. Perform flow control and congestion control selectively between
The first TCP and the second TCP have access to a common state table for the flow control and congestion control.
The communication system according to claim 13. The session path control unit further includes:
The packet from the second interface and the packet that has passed through the encapsulation controller from the second interface are input, with a tag that can identify both, and input to the transmission / reception controller,
The transmission / reception control unit transmits a packet from the second interface to the encapsulation control unit, and transmits a packet from the encapsulation control unit to the first interface.
The communication system according to claim 13 or 14.

Images